Abstract. We study generalized fixed-point equations over idempotent 
semirings and provide an efficient algorithm for the detection whether a 
sequence of Kleene's iterations stabilizes after a finite number of steps. 
Previously known approaches considered only bounded semirings where 
there are no infinite descending chains. The main novelty of our work 
is that we deal with semirings without the boundedness restriction. Our 
study is motivated by several applications from interprocedural dataflow 
analysis. We demonstrate how the reachability problem for weighted 
pushdown automata can be reduced to solving equations in the frame- 
work mentioned above and we describe a few applications to demonstrate 
its usability. 



1 Introduction 

Weighted pushdown systems [19] are a suitable model for analyzing programs 
with procedures. They have been used successfully in a number of applications, 
e.g. BDD-based model checking [22,7], trust-management systems [10], path 
optimization [13], and interprocedural dataflow analysis (see [18] for a survey). 

The main idea is that the transitions of a pushdown system are labelled 
with values from a given data domain (e.g. natural numbers). These values can 
be composed when executed in sequence (e.g. using the addition on natural 
numbers) and one is then interested in a number of verification questions like 
reachability of a given configuration with the combined value over all paths 
leading into this configuration (e.g. by taking the minimum value over all such 
paths). It has been shown that there are efficient polynomial time algorithms for 
answering these questions [19]. 

In this paper, we contribute to the research in this area. We first draw a 
connection between reachability in weighted pushdown systems (WPDS) over an 
idempotent semiring and solving fixed-point equations over the same semiring. 
Unlike related work, we allow for infinite descending chains in our semirings 
(our approach e.g. includes the integer semiring). Due to this reason, the system 
of equations constructed from a WPDS may not have a solution. We therefore 
provide an efficient algorithm that either determines the solution or detects the 
presence of an infinite descending chain. In the latter case, we output some 
component (variable) of the system affected by the problem. So on one hand 
we treat domains with infinite descending chains but on the other hand, two 
restrictions are necessary to make this possible. However, as argued in Section 4, 
the framework still includes a number of interesting applications. 

For better readability some proofs have been moved to an appendix. 

1.1 Dataflow Analysis and Fixed-Point Equations 

Static analysis gathers information about a program without executing it. Data- 
flow analysis is an instance of static analysis: it reasons about run-time values 
of variables or expressions. More to the point, we desire to establish facts that 
hold at some control point whenever an execution reaches it. 

Most approaches to dataflow analysis reduce the problem (explicitly or im- 
plicitly) to solving a system of fixed-point equations over some algebraic struc- 
ture, e.g. a lattice or a semiring. They map the control-flow graph of a program 
to an equation system $\mathbf{X} = \mathbf{f}(\mathbf{X})$, where the vector $\mathbf{X} = (X_1, \ldots, X_n)$ stands 
for the nodes in the control flow graph, and takes values from some dataflow 
domain. The vector $\mathbf{f} = (f_1, \ldots, f_n)$ stands for the edges in the graph, i.e., the 
transfer function $f_i(\mathbf{X})$ describes the effect of the program on $X_i$ in terms of 
the other dataflow values. Under certain conditions (e.g., the functions $f_i$ are 
distributive) the desired dataflow information is precisely the greatest solution 
of the system $\mathbf{X} = \mathbf{f}(\mathbf{X})$, i.e., the greatest fixed point $\mathrm{gfp}(\mathbf{f})$ of $\mathbf{f}$ [17,21]. 

There is a large body of literature dealing with dataflow analysis along these 
lines. Of particular interest to us are interprocedural analyses. The seminal work 
of Sharir and Pnueli [21] shows how to set up an equation system that captures 
only the interprocedurally valid paths, i.e. those paths in which all return state- 
ments lead back to the site of the most recent call. However, [21] computes only 
one dataflow value for each program point, merging together all the paths that 
reach it, regardless of the calling context. In [19] a generalization was provided, 
where the solution of the equations computes a solution for each configuration, 
where configuration denotes a program point together with its calling context. 
Thus, [19] allows to distinguish dataflow values for different, arbitrary calling 
contexts. (The merged information can still be obtained as a special case.) The 
results of [19] were phrased in terms of weighted pushdown systems (WPDS), 
and we will adopt this notion in our paper. 

If the dataflow domain satisfies the so-called descending chain condition 
(i.e. each infinite descending chain eventually becomes stationary), $\mathrm{gfp}(\mathbf{f})$ can 
be obtained by Kleene's iteration: Let $0$ be the greatest domain element, and 
$\mathbf{0} = (0, \ldots, 0)$. Then Kleene's fixed-point theorem guarantees that the sequence 
$\mathbf{0}, \mathbf{f}(\mathbf{0}), \mathbf{f}(\mathbf{f}(\mathbf{0})), \ldots$ reaches $\mathrm{gfp}(\mathbf{f})$ after finitely many steps. Both [21] and [19] 
require the descending chain condition. 

However, the descending chain condition does not always hold. For example, 
the lattice of non-positive integers with $\sqcap = \min$ and $\sqcup = \max$ does not satisfy 
the condition because of the infinite descending chain $0, -1, -2, \ldots$. In fact, this 
chain arises when doing Kleene's iteration on the equation $X = f(X)$ where 
$f(X) = \min(X, X - 1)$. More to the point, Kleene's iteration on $f$ would fail to 
terminate. We will show how to overcome this problem. 

Previous work (e.g., [19]) has shown that many important analysis problems 
can be phrased as equation systems, where $\mathbf{f}(\mathbf{X})$ contains polynomials over 
idempotent semirings. By polynomial, we mean an expression that is built up 
from variables, constant elements, and the semiring operations '$\oplus$' (combine) 
and '$\otimes$' (extend). 

Recently, fixed-point equations over idempotent semirings have been studied 
intensively. While the classical solution is to use Kleene's iteration or chaotic 
iteration, recent work has proposed faster algorithms and better convergence 
results based on Newton's method [9,5,4,6]. In these works, the boundedness 
condition is dropped, but replaced by another condition called $\omega$-continuity, 
requiring that the infimum of every infinite set exists, thus ensuring that a greatest 
fixed point can always be found. Our work does not require this condition, and a 
greatest fixed point is not always guaranteed to exist (but our algorithm detects 
such a case and reports it). The penalty for this is that a different kind of 
restriction has to be introduced: we require that semirings are totally ordered and 
that "extend preserves inequality", i.e., $a \otimes c \ne b \otimes c$ for $a \ne b$ and $a, b, c \ne 0$. 

Our algorithm executes Kleene's iteration, and if the iteration terminates, 
it outputs the greatest fixed point. If Kleene's iteration fails to terminate, our 
algorithm will detect this and still terminate, indicating a responsible variable 
(a so-called witness component). 

The work closest to ours is the one by Gawlitza and Seidl [8], who consider 
systems of equations over the integer semiring. Our algorithm can be seen as 
a generalization of one of their algorithms to totally ordered semirings where 
extend preserves inequality and to equations over arbitrary polynomials. More- 
over, we provide a direct and self-contained proof of the result. Another related 
work is by Leroux and Sutre [14]. They present an algorithm for computing 
least fixed-points for monotone bounded-increasing functions over integers. On 
one hand they consider more general functions like e.g. factorials, on the other 
hand the minimum and maximum functions are not bounded-increasing accord- 
ing to their definition. As a result, their algorithm is not applicable in our setting 
of weighted pushdown systems. 

We proceed as follows: In Section 2, we provide a new algorithm for solving 
fixed-point equations. Using this result, we design a new algorithm for inter- 
procedural dataflow analysis in Section 3, which is based on WPDS [19] and 
still requires a polynomial number of semiring operations. Like previous work on 
WPDS, the algorithm allows to compute dataflow information for each configu- 
ration (if desired). Due to the properties of the systems we handle, our algorithm 



either returns a solution (if it exists) or reports that none exists (usually indi- 
cating an error in the program). We provide several applications of our theory 
in Section 4. 

2 Fixed-Point Equations over Idempotent Semirings 

In this section we shall study fixed-point equations over idempotent semirings 
and Kleene's iterations over vectors of polynomials. 

Definition 1 (Idempotent Semiring). An idempotent semiring is a 5-tuple 
$S = (D, \oplus, \otimes, 0, 1)$ where $D$ is a set called the domain, $0, 1 \in D$, and the binary 
operators combine '$\oplus$' and extend '$\otimes$' on $D$ satisfy: 

1. $(D, \oplus)$ is a commutative monoid with $0$ as its neutral element and $(D, \otimes)$ is 
a monoid with $1$ as its neutral element, 

2. extend distributes over combine, i.e., $\forall a, b, c \in D : a \otimes (b \oplus c) = (a \otimes b) \oplus (a \otimes c)$ 
and $(a \oplus b) \otimes c = (a \otimes c) \oplus (b \otimes c)$, 

3. $0$ is an annihilator for extend, i.e., $\forall a \in D : a \otimes 0 = 0 \otimes a = 0$, and 

4. every $a \in D$ is idempotent w.r.t. combine, i.e., $\forall a \in D : a \oplus a = a$. 

Definition 2 (Ordering). We write $a \sqsubseteq b$ for $a, b \in D$ whenever $a \oplus b = a$. 

As we are mainly interested in algorithmic verification approaches, we shall 
implicitly consider only computable semirings where the elements from the domain 
are effectively representable, operations combine and extend are algorithmically 
computable and the test on equality is decidable. We will use the big-O-notation 
for complexity upper-bounds, though it should be always interpreted 
relative to the complexity of the semiring operations. In the semirings considered 
in our applications, we can assume that all operations can be performed in 
$O(1)$ time. Hence the big-O-notation for the semirings mentioned in this paper 
corresponds to the standard asymptotic complexity. 

Lemma 1. (i) For all $a, b \in D$ it holds that $a \oplus b \sqsubseteq a$. (ii) For all $a, b, c \in D$ it 
holds that if $a \sqsubseteq b$ then $a \otimes c \sqsubseteq b \otimes c$. 

The proof of Lemma 1 is straightforward. We shall now define an additional 
condition on the extend operator that will be used later on in this section. 

Definition 3 (Extend Preserves Inequality). Given an idempotent semiring 
we say that extend preserves inequality if $a \ne b$ implies that $a \otimes c \ne b \otimes c$ 
for any $a, b, c \in D \setminus \{0\}$. 

Example 1. The tuple $S_{int} = (\mathbb{Z}_\infty, \min, +, \infty, 0)$ is an idempotent semiring. The 
domain are the integers extended with infinity $\mathbb{Z}_\infty = \mathbb{Z} \cup \{\infty\}$ where $\min(\infty, a) = 
\min(a, \infty) = a$ and $a + \infty = \infty + a = \infty$ for all $a \in \mathbb{Z}_\infty$. Combine is the minimum 
and extend is the usual addition on integers. It is easy to see that $S_{int}$ meets 
the requirements of Definition 1. It moreover preserves inequality because the 
addition does so, and $\sqsubseteq$ is a total order. 

Another example of an idempotent semiring is $S_{rat} = (\mathbb{Q}[0, 1], \max, *, 0, 1)$ 
which is the semiring defined over the rationals in the interval from $0$ to $1$. 
Here combine is the maximum and extend is the multiplication on rationals. 
This semiring $S_{rat}$ also meets the requirements of Definition 1, extend preserves 
inequality and $\sqsubseteq$ is a total order. □ 

In what follows we fix an idempotent semiring $S = (D, \oplus, \otimes, 0, 1)$. We often 
omit the $\otimes$ sign in "products", i.e., we write $ab$ for $a \otimes b$. We also fix a set 
$\mathcal{X} = \{X_1, \ldots, X_n\}$ of variables. Now we define vectors of polynomials over $S$ 
and their fixed points following [4]. 

Let $V = D^n$ denote the set of vectors over $S$. We use bold letters to denote 
vectors, e.g., $\mathbf{v} = (v_1, \ldots, v_n)$. We also write $\mathbf{X} = (X_1, \ldots, X_n)$ to arrange the 
variables from $\mathcal{X}$ in a vector. We extend $\sqsubseteq$ to vectors by setting $\mathbf{u} \sqsubseteq \mathbf{v}$ iff $u_i \sqsubseteq v_i$ 
for all $1 \le i \le n$. 

A monomial is a finite expression $a_1 X_{i_1} a_2 X_{i_2} \cdots a_s X_{i_s} a_{s+1}$ where $s \ge 0$, 
$a_1, \ldots, a_{s+1} \in D$ and $X_{i_1}, \ldots, X_{i_s} \in \mathcal{X}$. A polynomial is an expression of the 
form $m_1 \oplus \cdots \oplus m_s$ where $s \ge 0$ and $m_1, \ldots, m_s$ are monomials. The value of a 
monomial $m = a_1 X_{i_1} a_2 \cdots a_s X_{i_s} a_{s+1}$ at $\mathbf{v}$ is $m(\mathbf{v}) = a_1 v_{i_1} a_2 \cdots a_s v_{i_s} a_{s+1} \in D$. 
The value of a polynomial $f = m_1 \oplus \cdots \oplus m_s$ at $\mathbf{v}$ is $f(\mathbf{v}) = m_1(\mathbf{v}) \oplus \cdots \oplus m_s(\mathbf{v})$. 
A polynomial induces a mapping from $V$ to $D$ that assigns to $\mathbf{v}$ the element $f(\mathbf{v})$. 
A vector of polynomials $\mathbf{f} = (f_1, \ldots, f_n)$ is an $n$-tuple of polynomials; it 
induces a mapping from $V$ to $V$ that assigns to a vector $\mathbf{v}$ the vector $\mathbf{f}(\mathbf{v}) = 
(f_1(\mathbf{v}), \ldots, f_n(\mathbf{v}))$. A fixed point of $\mathbf{f}$ is a vector $\mathbf{v}$ that satisfies $\mathbf{v} = \mathbf{f}(\mathbf{v})$. A 
greatest fixed point of $\mathbf{f}$ is a fixed point $\mathbf{v}$ such that $\mathbf{v}' \sqsubseteq \mathbf{v}$ holds for all other 
fixed points $\mathbf{v}'$. The size $K(\mathbf{f})$ of a vector of polynomials $\mathbf{f}$ is the total number 
of $\oplus$ and $\otimes$ operators in $\mathbf{f}$. In particular, given a vector $\mathbf{v}$, it takes $O(K(\mathbf{f}))$ 
time to compute $\mathbf{f}(\mathbf{v})$. 

Example 2. Consider the semiring $S_{int}$ from Example 1. Let $\mathcal{X} = \{X_1, X_2, X_3\}$. 
Then $\mathbf{f} = (-2 \oplus X_2 \otimes X_3,\ X_3 \otimes 1,\ X_1 \oplus X_2)$ is a vector of polynomials over $S_{int}$. 
It can be rewritten as $\mathbf{f} = (\min\{-2, X_2 + X_3\},\ X_3 + 1,\ \min\{X_1, X_2\})$. The size 
$K(\mathbf{f})$ equals 4. □ 

It is easy to see that polynomials are monotone and continuous mappings 
w.r.t. $\sqsubseteq$, see Lemma 1. Kleene's theorem can then be applied (see e.g. [12]), 
which leads to the following proposition. 

Proposition 1. Let $\mathbf{f}$ be a vector of polynomials. Let the Kleene sequence 
$(\kappa^{(k)})_{k \in \mathbb{N}}$ be defined by $\kappa^{(0)} = \mathbf{0}$ and $\kappa^{(k+1)} = \mathbf{f}(\kappa^{(k)})$. 

(a) We have $\kappa^{(k+1)} \sqsubseteq \kappa^{(k)}$ for all $k \in \mathbb{N}$. 

(b) If a greatest fixed point exists then it is the infimum of $\{\kappa^{(k)} \mid k \in \mathbb{N}\}$. 

(c) If the infimum of $\{\kappa^{(k)} \mid k \in \mathbb{N}\}$ exists then it is the greatest fixed point. 

Proposition 1 is the mathematical basis for the classical fixed-point iteration: 
apply $\mathbf{f}$ until a fixed point is reached, which is, by Proposition 1 (c), the greatest 
fixed point of $\mathbf{f}$. We call this method Kleene's iteration. In general, Kleene's 
iteration does not always reach a fixed point. Some equations, like $X = X \otimes (-1)$ 
over $S_{int}$, do not have any (greatest) fixed point, other equations might have 
a greatest fixed point but it is not achievable in a finite number of Kleene's 
iterations (consider for example the above equation but over the semiring $S_{int}$ 
extended with the element $-\infty$). It is not a priori clear how to detect whether 
Kleene's iteration terminates, i.e., computes the greatest fixed point in a finite 
number of iterations. 

Algorithm 1 (called "safe Kleene's iteration") solves this problem. If Kleene's 
iteration reaches the greatest fixed point, then the algorithm computes it. Otherwise 
it outputs a witness component where Kleene's iteration does not terminate. 
Formally, a witness component is defined as follows. 

Definition 4 (Witness Component). Let $\mathbf{f}$ be a vector of polynomials over 
an idempotent semiring. A component $i$ ($1 \le i \le n$) is a witness component if 
$\{\kappa^{(k)}_i \mid k \ge 0\}$ is an infinite set. 

In our applications, the presence of a witness component pinpoints a problem of 
the analyzed model which the user may want to fix. More details are given in 
Section 4. 

Algorithm 1 is based on the generalized Bellman-Ford algorithm of [8] for $S_{int}$ 
and generalizes it further to totally ordered semirings where extend preserves 
inequality and to equations over arbitrary polynomials. 



Algorithm 1 Safe Kleene's iteration 

Input: A vector of polynomials $\mathbf{f} = (f_1, \ldots, f_n)$ over an idempotent semiring $S = 
(D, \oplus, \otimes, 0, 1)$ s.t. $\sqsubseteq$ is a total order and where extend preserves inequality. 
Output: Greatest fixed point of $\mathbf{f}$ or a witness component. 
1: $\kappa^{(0)} := \mathbf{0}$ 
2: for $k := 1$ to $n + 1$ do 
3:     $\kappa^{(k)} := \mathbf{f}(\kappa^{(k-1)})$ 
4: end for 
5: if $\exists i$ with $1 \le i \le n$ such that $\kappa^{(n)}_i \ne \kappa^{(n+1)}_i$ then 
6:     return "Kleene's iteration does not terminate. Component $i$ is a witness." 
7: else 
8:     return "The vector $\kappa^{(n)}$ is the greatest fixed point." 
9: end if 



Theorem 1. Algorithm 1 is correct and terminates in time $O(n \cdot K(\mathbf{f}))$. 

Algorithm 1 on its own is very straightforward, and its proof for polynomials 
of degree only 1 would directly mimic the proof of the Bellman-Ford algorithm. Our 
contribution is that we prove that it works also for polynomials of higher degrees 
where a more involved technical treatment is necessary. Full details can be found 
in Appendix A. 

Remark 1. In the integer semiring $S_{int}$, Algorithm 1 can be extended such that it 
computes all witness components and for the remaining terminating components 
returns the exact value. This is done as follows. The main loop on lines 2-4 is run 
once again, but the components that still change are assigned a new semiring 
element "$-\infty$" on which the operators "+" and "min" act as expected. Thus, 
$-\infty$ may be propagated through the components during the repetition of the 
main loop. At the end, all components that are not $-\infty$ have reached their final 
value, all others can be reported as witness components. For details see [8]. 

Example 3. Consider again the vector of polynomials from Example 2: 

$\mathbf{f} = (\min\{-2, X_2 + X_3\},\ X_3 + 1,\ \min\{X_1, X_2\})$. 

Kleene's iteration produces the following Kleene sequence: $\kappa^{(0)} = (\infty, \infty, \infty)$, 
$\kappa^{(1)} = (-2, \infty, \infty)$, $\kappa^{(2)} = (-2, \infty, -2)$, $\kappa^{(3)} = (-2, -1, -2)$, $\kappa^{(4)} = (-3, -1, -2)$. 
As $\kappa^{(3)}_1 = -2 \ne -3 = \kappa^{(4)}_1$, Alg. 1 returns the first component as a witness. □ 

Notice that Algorithm 1 merely indicates whether a greatest fixed point can 
be found using Kleene's iteration or not. Even if Algorithm 1 outputs a witness 
component, a greatest fixed point may still exist (and be found by other means). 
An example is a semiring over the reals which can admit the sequence $1/2^n$ for 
some variable. This sequence converges to 0, but Kleene's iteration fails to detect 
this. Nevertheless, for some semirings like $S_{int}$ used in our applications, we can 
make the following stronger statement. 

Corollary 1. Algorithm 1 applied to polynomials over the semiring $S_{int}$ finds 
the greatest fixed point iff it exists. If it does not exist, all witness components 
can be explicitly marked. 

Proof. In $S_{int}$ a component is a witness component iff Kleene's iteration does not 
terminate in that component. The rest follows from Definition 4, Proposition 1 
and Remark 1. □ 



3 Weighted Pushdown Systems 

In this section we will use the fixed-point equations studied in the previous sec- 
tion for reasoning about properties of weighted pushdown systems (WPDS) [19]. 
We are interested in applying Theorem 1 to weighted pushdown systems; there- 
fore we implicitly consider only semirings that are totally ordered, and where 
extend preserves inequality. 

Definition 5 (Weighted Pushdown System). A weighted pushdown system 
is a 4-tuple $W = (P, \Gamma, \Delta, S)$, where $P$ is a finite set of control states, $\Gamma$ is a 
finite stack alphabet, $\Delta \subseteq (P \times \Gamma) \times D \times (P \times \Gamma^*)$ is a finite set of rules, and 
$S = (D, \oplus, \otimes, 0, 1)$ is an idempotent semiring. 

We write $pX \stackrel{d}{\longrightarrow} q\alpha$ whenever $r = (p, X, d, q, \alpha) \in \Delta$ and call $d$ the weight 
of $r$, denoted by $d_r$. We consider only rules where $|\alpha| \le 2$. (It is well-known that 
every WPDS can be translated into one that obeys this restriction and is larger 
by only a constant factor, see, e.g., [20]. The reduction preserves reachability.) 
We let the symbols $X, Y, Z$ range over $\Gamma$ and $\alpha, \beta, \gamma$ range over $\Gamma^*$. 



Example 4. As a running example in this section, we consider a weighted pushdown 
system over the semiring with both positive and negative integers as 


A configuration of a weighted pushdown system $W$ is a pair $p\gamma$ where $p \in P$ 
and $\gamma \in \Gamma^*$. A transition relation $\Rightarrow$ on configurations is defined by $pX\gamma \Rightarrow q\alpha\gamma$ 
iff $\gamma \in \Gamma^*$ and there exists $r \in \Delta$, where $r = (pX \stackrel{d}{\longrightarrow} q\alpha)$. We annotate $\Rightarrow$ 
with the rule $r \in \Delta$ which was used to derive the conclusion. If there exists a 
sequence of configurations $c_0, \ldots, c_n$ and rules $r_1, \ldots, r_n$ such that $c_{i-1} \stackrel{r_i}{\Rightarrow} c_i$ for 
all $i = 1, \ldots, n$, then we write $c_0 \stackrel{\sigma}{\Rightarrow} c_n$, where $\sigma := r_1 \ldots r_n$. The weight of $\sigma$ is 
defined as $v(\sigma) = d_{r_1} \otimes \cdots \otimes d_{r_n}$. By definition $v(\varepsilon) = 1$. 

Let $c, c'$ be two configurations and $\sigma \in \Delta^*$ such that $c \stackrel{\sigma}{\Rightarrow} c'$. We call $c$ 
a predecessor of $c'$ and $c'$ a successor of $c$. In the following, we will consider 
the problem of computing the set of all predecessors $pre^*(c_f)$ and successors 
$post^*(c_f)$ for a given configuration $c_f$. Due to space limitations we provide the full 
treatment only for the predecessors; the computation of successors is analogous 
and it is provided in Appendix C. 

Let us fix a WPDS $W$ and a target configuration $c_f$, where $c_f = p_f\varepsilon$ for some 
control state $p_f$. For any configuration $c$ of $W$, we want to know the minimal 
weight of a path from $c$ to $c_f$. If a path of minimal weight does not exist for 
every $c$, we want to detect such a case. In our applications (see Section 4), this 
situation usually indicates the existence of an error. 

Remark 2. In the literature, it is more common to consider a regular set $C$ of 
target configurations. This problem, however, reduces to the one with only a 
single target configuration $c_f$. The reduction can be achieved by extending $W$ 
with additional 'pop' rules that simulate a finite automaton for $C$; the 'pop' 
rules will succeed in reducing the stack to $c_f$ iff they begin with a configuration 
in $C$. For details, see [19], Section 3.1.1. 

At an abstract level, we are interested in solutions for the following equation 
system, in which each configuration $c$ is represented by a variable $[c]$. Intuitively, 
the greatest solution (if it exists) for the variable $[c]$ will correspond to the 
minimum (w.r.t. the combine operator) of accumulated weights over all paths 
leading from the configuration $c$ to $c_f$. 

(1) 

Let us consider the Kleene sequence $(\kappa^{(k)})_{k \in \mathbb{N}}$ for (1). By $\kappa^{(k)}_{[c]}$ we denote the 
entry for configuration $c$ in the $k$-th iteration of the Kleene sequence. 

Lemma 2. For $k \ge 1$ and any configuration $c$, the following holds 

$\kappa^{(k)}_{[c]} = \bigoplus\{\, v(\sigma) \mid c \stackrel{\sigma}{\Rightarrow} c_f,\ |\sigma| < k \,\}$. 



Thus, $[c]$ is a witness component of (1) iff no path of minimal weight exists, 
because it is possible to construct longer and longer paths with smaller and 
smaller weights. On the other hand, if (1) has a greatest fixed point, then the 
fixed point at $[c]$ gives the combine of the weights of all sequences leading from 
$c$ to $c_f$, commonly known as the meet-over-all-paths. However, (1) defines an 
infinite system of equations, which we cannot handle directly. In the following, 
we shall derive a finite system of equations, from which we can determine the 
greatest fixed point of (1) or the existence of a witness component. 

Definition 6 (Pop Sequence). Let $p, q$ be control states and $X$ be a stack 
symbol. A pop sequence for $p, X, q$ is any sequence $\sigma \in \Delta^*$ such that $pX \stackrel{\sigma}{\Rightarrow} q\varepsilon$. 

Let us consider the following polynomial equation system, in which the variables 
are triples $[pXq]$, where $p, q$ are control states and $X$ a stack symbol: 

$[pXq] = \bigoplus_{pX \stackrel{d}{\longrightarrow} q\varepsilon} d \;\oplus\; \bigoplus_{pX \stackrel{d}{\longrightarrow} rY} \big(d \otimes [rYq]\big) \;\oplus\; \bigoplus_{pX \stackrel{d}{\longrightarrow} rYZ} \Big(d \otimes \bigoplus_{s \in P} \big([rYs] \otimes [sZq]\big)\Big)$ (2) 

Intuitively, Equation (2) lists all the possible ways in which a pop sequence for 
p, X, q can be generated and computes the values accumulated along each of 
them. 

Example 5. Let us consider the WPDS $W_{ex}$ from Example 4. Here, the scheme 
presented in (2) yields a system with eight variables and equations, four of which 
are reproduced below. 

$[pXp] = \min\{1 + [qYp],\ 1 + [pXp] + [pYp],\ 1 + [pXq] + [qYp]\}$   $[pYp] = 1$ 
$[pXq] = \min\{1 + [qYq],\ 1 + [pXp] + [pYq],\ 1 + [pXq] + [qYq]\}$   $[qYq] = -2$ 

Notice that the other four variables would be simply assigned the $0$ element, 
in this case $\infty$. □ 

We now examine the Kleene sequence $(\kappa^{(k)})_{k \in \mathbb{N}}$ for (2). 

Lemma 3. For any $k \ge 1$, control states $p, q$, and stack symbol $X$, 

$\bigoplus\{\, v(\sigma) \mid c \stackrel{\sigma}{\Rightarrow} c_f,\ |\sigma| \le 2^{k-1} \,\} \;\sqsubseteq\; \kappa^{(k)}_{[pXq]} \;\sqsubseteq\; \bigoplus\{\, v(\sigma) \mid c \stackrel{\sigma}{\Rightarrow} c_f,\ |\sigma| \le k - 1 \,\}$. 

Thus, [pXq] is a witness component of (2) iff no minimal-weight pop sequence 
exists for p, X, q. On the other hand, if no witness component exists, then the 
value of [pXq] in the greatest fixed point denotes the combine of the weights of 
all pop sequences for p, X, q. 

We now show how (2) can be used to derive statements about (1). Let a 
configuration $c = pX_1 \ldots X_n$ be a predecessor of $c_f$. Then any sequence $\sigma$ leading 
from $c$ to $c_f$ can be subdivided into subsequences $\sigma_1, \ldots, \sigma_n$ and there exist states 
$p =: p_0, p_1, \ldots, p_{n-1}, p_n := p_f$ such that $\sigma_i$ is a pop sequence for $p_{i-1}, X_i, p_i$, for 
all $i = 1, \ldots, n$. As a consequence, we can obtain a solution for (1) from a solution 
for (2): suppose that $\lambda$ is the greatest fixed point of (2), and let $\mu$ be a vector 
over configurations defined as follows: 

$\mu_{[c]} = \bigoplus_{p_1, \ldots, p_{n-1}} \big( \lambda_{[pX_1p_1]} \otimes \cdots \otimes \lambda_{[p_{n-1}X_np_f]} \big)$, for $c = pX_1 \ldots X_n$. (3) 

It is easy to see that (3) "sums up" all possible paths from $c$ to $c_f$, and therefore 
yields the meet-over-all-paths for $c$. Thus, $\mu$ is a solution (greatest fixed point) 
of (1). On the other hand, if (1) has a witness component, then (2) must also 
have one. 

Theorem 2. Applying Algorithm 1 to (2) either yields a witness component or, 
via (3), the greatest fixed point of (1). 

Example 6. Once again, consider $W_{ex}$ from Example 4 and the equation system 
from Example 5. Here, the Kleene sequence quickly converges to the values $1$ for 
$[pYp]$, $-2$ for $[qYq]$, and $\infty$ for all other variables except $[pXq]$, which turns 
out to be a witness component of (2). Indeed, one can construct a series of pop 
sequences for $p, X, q$ with smaller and smaller weights, e.g. $pX \stackrel{1}{\Rightarrow} qY \stackrel{-2}{\Rightarrow} q\varepsilon$, 
and $pX \stackrel{1}{\Rightarrow} pXY \stackrel{1}{\Rightarrow} qYY \stackrel{-2}{\Rightarrow} qY \stackrel{-2}{\Rightarrow} q\varepsilon$, etc. with weights $-1$, $-2$ etc. If $c_f = q\varepsilon$, 
this implies that, e.g., $pX$ is a witness component of (1). On the other hand, $qY$ 
or $qYY$ would not be witness components, because their values in (3) would 
not be affected by the variable $[pXq]$ and evaluate to $-2$ and $-4$, respectively. 

□ 
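The computations of Examples 3, 5 and 6 carried out in code. This is an added example, not code from the paper: it implements Algorithm 1, the $-\infty$ marking step of Remark 1, the construction of equation system (2) and formula (3) over $S_{int}$ in Python, encoding $\infty$ and $-\infty$ with the floats inf and -inf. Because the figure of Example 4 is not in the text, the rules of $W_{ex}$ are reconstructed from the equations in Example 5 and the pop sequences in Example 6 and are therefore an assumption. The example reproduces the Kleene sequence of Example 3 with component 1 as witness, finds $[pXq]$ as the only witness of (2), and evaluates (3) to $-2$ for $qY$ and $-4$ for $qYY$.

```python
from itertools import product

# S_int = (Z ∪ {∞}, min, +, ∞, 0) with floats: INF is the 0-element (greatest w.r.t. ⊑),
# NEG_INF the extra element of Remark 1 that marks witness components.
INF = float("inf")
NEG_INF = float("-inf")


def combine(a, b):
    """⊕ of S_int."""
    return min(a, b)


def extend(a, b):
    """⊗ of S_int: addition with ∞ as annihilator (IEEE would give ∞ + -∞ = nan)."""
    if a == INF or b == INF:
        return INF
    return a + b


def safe_kleene(fs):
    """Algorithm 1. fs[i] evaluates f_i at a vector (a list). Returns (seq, witnesses):
    seq[k] is kappa^(k) for k = 0..n+1; if witnesses is empty, seq[n] is the gfp."""
    n = len(fs)
    seq = [[INF] * n]                                  # line 1: kappa^(0) := 0
    for _ in range(n + 1):                             # lines 2-4
        seq.append([f(seq[-1]) for f in fs])
    return seq, [i for i in range(n) if seq[n][i] != seq[n + 1][i]]   # line 5


def mark_witnesses(fs):
    """Remark 1 (S_int only): rerun the main loop, assigning -∞ to every component that
    still changes so that -∞ propagates; components left at -∞ are the witnesses."""
    seq, witnesses = safe_kleene(fs)
    kappa = list(seq[len(fs)])
    for i in witnesses:
        kappa[i] = NEG_INF
    for _ in range(len(fs) + 1):
        nxt = [f(kappa) for f in fs]
        kappa = [NEG_INF if nxt[i] != kappa[i] else nxt[i] for i in range(len(fs))]
    return kappa


def example3_polynomials():
    """f = (min{-2, X_2 + X_3}, X_3 + 1, min{X_1, X_2}) from Examples 2 and 3."""
    return [lambda k: combine(-2, extend(k[1], k[2])), lambda k: extend(k[2], 1),
            lambda k: combine(k[0], k[1])]


def pop_equations(states, alphabet, rules):
    """Equation system (2). A rule is (p, X, d, q, alpha), len(alpha) <= 2, one-character
    stack symbols. Returns (variables, fs) with variables[i] = (p, X, q) behind fs[i]."""
    variables = [(p, X, q) for p in states for X in alphabet for q in states]
    index = {v: i for i, v in enumerate(variables)}

    def make_f(p, X, q):
        def f(kappa):
            acc = INF                                  # the empty combine is the 0-element
            for rp, rX, d, r, alpha in rules:
                if (rp, rX) != (p, X):
                    continue
                if alpha == "" and r == q:             # pX --d--> qε contributes d
                    acc = combine(acc, d)
                elif len(alpha) == 1:                  # pX --d--> rY: d ⊗ [rYq]
                    acc = combine(acc, extend(d, kappa[index[(r, alpha, q)]]))
                elif len(alpha) == 2:                  # pX --d--> rYZ: d ⊗ ⊕_s ([rYs] ⊗ [sZq])
                    inner = INF
                    for s in states:
                        inner = combine(inner, extend(kappa[index[(r, alpha[0], s)]],
                                                      kappa[index[(s, alpha[1], q)]]))
                    acc = combine(acc, extend(d, inner))
            return acc
        return f
    return variables, [make_f(*v) for v in variables]


def meet_over_all_paths(config, target_state, states, lam):
    """Formula (3) for config = (p, "X_1...X_n") and c_f = target_state ε; lam maps
    (p, X, q) to its value in the marked fixed point of (2)."""
    p, stack = config
    n = len(stack)
    if n == 0:                                         # v(ε) = 1, i.e. 0 in S_int
        return 0 if p == target_state else INF
    best = INF
    for mids in product(states, repeat=n - 1):         # choose p_1, ..., p_{n-1}
        chain = (p,) + mids + (target_state,)
        w = 0
        for i in range(n):
            w = extend(w, lam[(chain[i], stack[i], chain[i + 1])])
        best = combine(best, w)
    return best


# W_ex, reconstructed (assumption) from Example 5's equations and Example 6's pop sequences.
W_EX_STATES = ["p", "q"]
W_EX_ALPHABET = ["X", "Y"]
W_EX_RULES = [("p", "X", 1, "q", "Y"), ("p", "X", 1, "p", "XY"),
              ("p", "Y", 1, "p", ""), ("q", "Y", -2, "q", "")]


def analyse_w_ex():
    """Algorithm 1 on (2) for W_ex with c_f = qε, then (3) for pX, qY and qYY."""
    variables, fs = pop_equations(W_EX_STATES, W_EX_ALPHABET, W_EX_RULES)
    _, witnesses = safe_kleene(fs)
    lam = dict(zip(variables, mark_witnesses(fs)))
    values = {c: meet_over_all_paths((c[0], c[1:]), "q", W_EX_STATES, lam)
              for c in ["pX", "qY", "qYY"]}
    return [variables[i] for i in witnesses], lam, values
```

analyse_w_ex returns the witness triples, the marked fixed point $\lambda$ and the values of (3). Witness components enter (3) as $-\infty$, which is the convention Section 4 adopts when it replaces $\bot$ by $-\infty$; this is why $pX$ evaluates to $-\infty$ while $qY$ and $qYY$ keep their finite values.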

Remark 3. The size of the equation system (2) is polynomial in $W$. Notice that it 
makes sense to generate equations only for such triples $p, X, q$ in which $pX$ occurs 
on the left-hand side or right-hand side of some rule. Under this assumption, the 
number of equations in (2) is $O(|P| \cdot |\Delta|)$, and its overall size is $O(|P|^2 \cdot |\Delta|)$, 
the same complexity as in the algorithms for computing predecessors in [3]. 
According to Theorem 1, Algorithm 1 therefore runs in $O(|P|^3 \cdot |\Delta|^2)$ time on (2). 
For any configuration $c$ of interest, the value $\mu_c$ in (3) can be easily obtained 
from the result of Algorithm 1. See also the $W$-automaton technique in the 
subsection to follow. A similar conclusion about the complexity of the algorithm 
for computing successors can be drawn thanks to the (linear) connection between 
forward and backward reachability analysis described in Appendix C. 

3.1 Weighted Automata 

For (unweighted) pushdown systems, it is well-known that reachability preserves 
regularity; in other words, given a regular set of configurations, the set of all pre- 
decessors resp. successors is regular. Moreover, given a finite automaton recogniz- 
ing a set of configurations, automata recognizing the predecessors or successors 
can be constructed in polynomial time (see, e.g., [3]). 

It is also known that the results carry over to weighted pushdown systems 
provided that the semiring is bounded, i.e., there are no infinite descending chains 
w.r.t. $\sqsubseteq$ [19]. For this purpose, so-called weighted automata are employed. 



Definition 7 (Weighted $W$-Automaton). Let $W = (P, \Gamma, \Delta, S)$ be a pushdown 
system over a bounded semiring $S$. A $W$-automaton is a 5-tuple $A = 
(Q, \Gamma, \rightarrow, P, F)$ where $Q$ is a finite set of states, $\rightarrow \subseteq Q \times \Gamma \times D \times Q$ is a finite 
set of transitions, $P \subseteq Q$, i.e. the control states of $W$, are the set of initial 
states and $F \subseteq Q$ is a set of final (accepting) states. 

Let $\pi = t_1 \ldots t_n$ be a path in $A$, where $t_i = (q_i, X_i, d_i, q_{i+1})$ for all $1 \le i \le n$. 
The weight of $\pi$ is defined as $v(\pi) := d_1 \otimes \cdots \otimes d_n$. If $q_1 \in P$ and $q_{n+1} \in F$, 
then we say that $\pi$ accepts the configuration $q_1 X_1 \ldots X_n$. Moreover, if $c$ is a 
configuration, we define $v_A(c)$ as the combine of all $v(\pi)$ such that $\pi$ accepts $c$. 
In this case, we also say that $A$ accepts $c$ with weight $v_A(c)$. 

In [19] the following problem is considered for the case of bounded semirings: 
compute a $W$-automaton $A$ such that $v_A(c)$ equals the meet-over-all-paths (or 
equivalently the greatest fixed point of (1), which always exists for bounded 
semirings) from $c$ to $c_f$, for every configuration $c$. 

We extend this solution to the case of unbounded semirings, using Theorem 2. 
We first apply Algorithm 1 to the equation system (2). If the algorithm yields the 
greatest fixed point, then we construct a $W$-automaton $A = (P, \Gamma, \rightarrow, P, \{c_f\})$, 
with $(p, X, d, q) \in \rightarrow$ for all $p, X, q$ such that $d$ is the value of $[pXq]$ in the 
greatest fixed point computed by Algorithm 1. Given a configuration $c$, it is easy 
to see that $v_A(c)$ yields the same result as in (3). 

Example 7. The automaton arising from Example 6 is depicted below where the 
witness component is marked by $\bot$ and transitions with the value $\infty$ are omitted 
completely. 



The problem of computing successors is also considered in [19], i.e., computing 
a $W$-automaton $A$ where $v_A(c)$ is the meet-over-all-paths from an initial 
configuration $c_0$ to $c$. Using our technique, this result can also be extended to 
unbounded semirings; Appendix C shows an equation system for this problem, 
which can be converted into a $W$-automaton for $post^*(c_0)$ in analogous fashion. 

4 Applications 

Here we outline some applications of the theory developed in this paper. Unless 
stated otherwise, we will consider the semiring $S_{int}$ as described in Example 1. 
Following Remark 1 and Corollary 1, we assume that all nonterminating components 
can be detected in this semiring and the corresponding transitions in the 
$W$-automaton will be assigned the value $\bot$. The terminating components resp. 
the corresponding transitions in the $W$-automaton take the computed value. 

Note that the previously known approaches to reachability in weighted pushdown 
automata are not applicable to any of the below presented cases because 
they required the semiring to be bounded (no infinite descending chains). 
Boundedness is, however, not satisfied in any of our applications. Our first two 
applications are new and we are not aware of any other algorithms that could achieve the 
same results. Our third application deals with shape-balancedness of context-free 
languages, a problem for which an algorithm was recently described in [23]. 

Memory Allocations in Linux Kernel. Correct memory allocation and deallocation 
is crucial for the proper functionality of an operating system. In Linux the 
library linux/gfp.h is used for allocation and deallocation of kernel memory 
pages via the functions alloc_pages and __free_pages respectively. These functions 
take as argument a number $n$ (also called the order) and allocate or 
deallocate $2^n$ memory pages. Citing [15, page 187]: "You must be careful to free 
only pages you allocate. Passing the wrong struct page or address, or the incorrect 
order, can result in corruption." This means that a basic safety requirement 
is: never free more pages than what are allocated. 

As most questions about real programs are in general undecidable, several 
techniques have been suggested to provide more tractable models. For example 
so-called boolean programs [2] have recently been used to provide a suitable 
abstraction via pushdown systems. Assume a given pushdown system abstraction 
resulting from the program code. The transitions in the pushdown system are 
labelled with the programming primitives, among others the ones for allocation 
and deallocation of memory pages. If a given pushdown transition allocates $2^n$ 
memory pages, we assign it the weight $2^n$; if it deallocates $2^n$ pages, we assign 
it the weight $-2^n$; in all other cases the weight is set to 0. 

Now the pushdown abstraction corrupts the memory iff a configuration is 
reachable from the given initial configuration pX with negative weight. As shown 
in Section 3, we can in polynomial time (w.r.t. the input pushdown system W) 
construct a W-automaton A for post*({pX}). For technical convenience, we 
first replace all occurrences of ⊥ in A with -∞. From all initial control-states 
of A we now run e.g. the Bellman-Ford shortest path algorithm (which can 
detect negative cycles and assign the weight -∞ should there be any) to 
check whether there is a path to some accept state with an accumulated 
negative weight. This is doable in polynomial time. If a negative weight path 
is found, the corresponding configuration is reachable with a negative weight, 
hence there is a memory corruption (at least in the pushdown abstraction). 
Otherwise, the system is safe. Altogether our technique gives a polynomial time 
algorithm for checking memory corruption with respect to the size of the 
abstracted pushdown system. Depending on whether under- or over-approximation 
is used in the abstraction step, our technique can be used for detecting errors 
or for showing their absence, respectively. 

Correspondence Assertions. In [24] Woo and Lam analyze protocols using 
so-called correspondences between protocol points. A correspondence property 
relates the occurrence of a transition to an earlier occurrence of some other 
transition. In sequential programs (modelled as pushdown systems) assume that 
assertions of the form begin ℓ and end ℓ (where ℓ is a label taken from a finite set 
of labels) are inserted by the programmer into the code. The program is safe if for 
each end ℓ reached at a program point there is a unique corresponding begin ℓ at 
an earlier execution point of the program. Verifying safety via correspondence 
assertions can be done using a similar technique as before. For each label ℓ 
we create a weighted pushdown system based on the initially given boolean 
program abstraction where every instruction begin ℓ has the weight +1, every 
instruction end ℓ the weight -1, and all other instructions have the weight 0. 
Now the pushdown system is safe if and only if every reachable configuration 
has nonnegative accumulated weight. This can be verified in polynomial time as 
outlined above. 

Shape-Balancedness of Context-Free Languages. In static analysis of programs 
generating XML strings and in other XML-related questions, the balancedness 
problem has been recently studied (see e.g. [1,11,16]). The problem is, given 
a context-free language with a paired alphabet of opening and closing tags, to 
determine whether every word in the language is properly balanced (i.e. whether 
every opening tag has a corresponding closing tag and vice versa). Tozawa and 
Minamide recently suggested [23] a polynomial time algorithm for the problem. 
Their involved algorithm consists of two stages, and in the first stage they test for 
the shape-balancedness property, i.e., if all opening tags as well as all closing tags 
are treated as being of the same sort, is every accepted word balanced? Assume a 
given pushdown automaton accepting (by final control-states) the given context-free 
language. If we label all opening tags with weight +1 and all closing tags with 
weight -1, the shape-balancedness question is equivalent to checking (i) whether 
every accepted word has weight equal to 0 and (ii) whether all configura- 
tions on every path to some final control-state have nonnegative accumulated 
weights. Our generic technique provides polynomial time algorithms to answer 
these questions. 

To verify property (i), we first consider the semiring $S_{int} = (\mathbb{Z} \cup \{\infty\}, \min, +, \infty, 0)$. 
We now construct in polynomial time for the given initial configuration pX a 
weighted post*({pX}) W-automaton A, replace all labels ⊥ with -∞, and for 
each final control-state q (of the pushdown automaton) we find in A a shortest 
path from q to every accept state of A. This can be done in polynomial time 
using e.g. the Bellman-Ford shortest path algorithm, which can moreover detect 
negative cycles and set the respective shortest path to -∞. If any of the shortest 
paths is different from 0, we terminate because the shape-balancedness prop- 
erty is broken. If the system passes the first test, we run the same procedure once 
more, but this time with the semiring $(\mathbb{Z} \cup \{-\infty\}, \max, +, -\infty, 0)$ and with ⊥ 
replaced by ∞, i.e., we are searching for the longest path in the automaton A. 
Again, if at least one of those paths has an accumulated weight different from 0, 
we terminate with a negative answer. If the pushdown system passes both 
tests, this means that any configuration in the set post*({pX}) starting with 
some final control-state (of the pushdown automaton) is reachable only with the 
accumulated weight 0, and we can proceed to verify property (ii). 

For (ii), we construct the weighted post*({pX}) W-automaton for the integer 
semiring $S_{int}$. We then restrict the automaton to contain only those configura- 
tions that can actually evolve into some accepting configuration, by simply inter- 
secting it (by the usual product construction) with the unweighted W-automaton 
(of polynomial size) representing pre*$((q_1 + \cdots + q_n)\Gamma^*)$, where $q_1, \ldots, q_n$ are all 
final control-states and $\Gamma$ is the stack alphabet. Property (ii) now reduces to 
checking whether the product automaton accepts some configuration with neg- 
ative weight, which can be answered in polynomial time using the technique 
described in our first application. 

Unfortunately, [23] provides no complexity analysis other than the state- 
ment that the algorithm is polynomial. Our general-purpose algorithm, on the 
other hand, immediately provides a precise complexity bound. Consider a given 
context-free grammar of size n over some paired alphabet. It can be (by the stan- 
dard textbook construction) translated into a (weighted) pushdown automaton 
of size O(n) and moreover with a constant number of states. As mentioned in 
Section 3, this automaton can be normalized in linear time and we can then 
build a weighted post*({pX}) W-automaton of size O(n^2) with O(n) states in 
time O(n^4). Details can be found in Appendix C. Running the Bellman-Ford 
algorithm twice in order to verify property (i) takes only time O(n^3). For 
property (ii) the Bellman-Ford algorithm is run on the product of the weighted 
post* automaton and an unweighted pre* automaton, which has only a constant 
number of states. Hence the size of the product is still O(n^2) and the Bellman-Ford 
algorithm runs in time O(n^3) as before. This gives a total running time 
of O(n^4). 
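The three applications above share one kernel: a Bellman-Ford pass over the post* W-automaton with ⊥ read as -∞ (or as +∞ for the max-plus pass). The following Python code is an added example written for this page, not code from the paper. It takes a W-automaton over the integer semiring as an explicit list of weighted transitions (the post* construction itself, and the product with the pre* automaton that property (ii) needs, are not implemented here) and realises the negative-weight check of the first two applications and the two-pass check of property (i). The automata at the end are constructed for illustration only.

```python
from typing import Dict, Iterable, List, Optional, Tuple

INF = float("inf")
BOTTOM = None   # the label ⊥ of the W-automaton: "no finite value"

# Transition of a W-automaton over the integer semiring: (src, stack symbol, dst, weight),
# weight an int or BOTTOM. Symbols only document the path; the checks use the weights.
Transition = Tuple[str, str, str, Optional[int]]


class WAutomaton:
    def __init__(self, transitions: Iterable[Transition],
                 initial: Iterable[str], accept: Iterable[str]):
        self.transitions: List[Transition] = list(transitions)
        self.initial = set(initial)
        self.accept = set(accept)
        self.states = ({s for t in self.transitions for s in (t[0], t[2])}
                       | self.initial | self.accept)


def bellman_ford(aut: WAutomaton, sources: Iterable[str], bottom_as: float,
                 longest: bool = False) -> Dict[str, Optional[float]]:
    """Shortest (or, with longest=True, longest) path weight from `sources` to every
    state, with ⊥ replaced by `bottom_as`. Unreachable states map to None; a state
    behind a negative cycle gets -INF (behind a positive cycle: +INF, when
    longest=True). The longest-path pass is Bellman-Ford on the negated weights."""
    sign = -1 if longest else 1
    edges = [(u, v, sign * (bottom_as if w is BOTTOM else w))
             for (u, _, v, w) in aut.transitions]
    dist: Dict[str, float] = {s: INF for s in aut.states}
    for s in sources:
        dist[s] = 0
    for _ in range(len(aut.states) - 1):          # |V|-1 rounds of relaxation
        changed = False
        for u, v, w in edges:
            if dist[u] + w < dist[v]:             # INF + (-INF) is NaN, so an
                dist[v] = dist[u] + w             # unreachable u never relaxes v
                changed = True
        if not changed:
            break
    # An edge that still relaxes lies on or behind a negative cycle; everything
    # reachable from its target has weight -INF.
    todo = [v for u, v, w in edges if dist[u] + w < dist[v]]
    while todo:
        v = todo.pop()
        if dist[v] == -INF:
            continue
        dist[v] = -INF
        todo.extend(y for x, _, y, _ in aut.transitions if x == v)
    return {s: (None if d == INF else sign * d) for s, d in dist.items()}


def min_weight_to_accept(aut: WAutomaton) -> Optional[float]:
    """Least accumulated weight of any configuration in post*: the shortest path from
    an initial state to an accept state with ⊥ read as -∞ (None if nothing is accepted)."""
    d = bellman_ford(aut, aut.initial, bottom_as=-INF)
    reachable = [d[s] for s in aut.accept if d[s] is not None]
    return min(reachable) if reachable else None


def may_corrupt_memory(aut: WAutomaton) -> bool:
    """Applications 1 and 2: some configuration is reachable with negative weight."""
    w = min_weight_to_accept(aut)
    return w is not None and w < 0


def accepting_weights_all_zero(aut: WAutomaton, final_control_states: Iterable[str]) -> bool:
    """Property (i) of shape-balancedness: from every final control state q, every
    path to an accept state has weight exactly 0, i.e. both the shortest path
    (⊥ -> -∞) and the longest path (⊥ -> +∞) from q have weight 0."""
    for q in final_control_states:
        lo = bellman_ford(aut, [q], bottom_as=-INF)
        hi = bellman_ford(aut, [q], bottom_as=INF, longest=True)
        for s in aut.accept:
            if lo[s] is None:
                continue                      # q accepts nothing through s
            if lo[s] != 0 or hi[s] != 0:
                return False
    return True


# Constructed sample W-automata (illustration only, not derived from a real program).
# Memory application: weights are the page counts of the transitions' (de)allocations.
SAFE = WAutomaton([("p", "X", "s1", 4), ("s1", "Y", "f", -4), ("p", "Z", "f", 0)],
                  initial=["p"], accept=["f"])
# A loop that keeps freeing two pages after a single allocation: a negative cycle,
# so the accumulated weight is -∞ and the abstraction corrupts memory.
CORRUPT = WAutomaton([("p", "X", "s1", 2), ("s1", "Y", "s1", -2), ("s1", "Z", "f", 0)],
                     initial=["p"], accept=["f"])
# Shape-balancedness, property (i): opening tags +1, closing tags -1, q final.
BALANCED = WAutomaton([("q", "a", "s", 1), ("s", "b", "f", -1),
                       ("s", "a", "s2", 1), ("s2", "b", "s", -1)],
                      initial=["q"], accept=["f"])
UNBALANCED = WAutomaton(BALANCED.transitions + [("q", "a", "f", 1)],
                        initial=["q"], accept=["f"])
BOTTOM_CASE = WAutomaton([("q", "X", "f", BOTTOM)], initial=["q"], accept=["f"])

if __name__ == "__main__":
    print("SAFE corrupts memory:", may_corrupt_memory(SAFE))
    print("CORRUPT corrupts memory:", may_corrupt_memory(CORRUPT))
    print("BALANCED passes (i):", accepting_weights_all_zero(BALANCED, ["q"]))
    print("UNBALANCED passes (i):", accepting_weights_all_zero(UNBALANCED, ["q"]))
```

The negative-cycle handling is the part that matters for unbounded domains: once an edge still relaxes after |V|-1 rounds, every state reachable from it is marked -∞ rather than left with an arbitrary finite value, which is exactly the role ⊥ plays in the W-automaton before it is replaced.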

5 Conclusion 

We presented a unified framework for interprocedural dataflow analysis on 
weighted pushdown automata where the weight domains might contain infinite 
descending chains. The problem was solved by reformulating it via generalized 
fixed-point equations, which required polynomials of degree two. To the best of 
our knowledge this is the first approach that is able to handle this kind of 
domains. On the other hand, we do not consider completely general idempotent 
semirings, as we require that the elements in the domain are totally ordered and 
that extend preserves inequality. Nevertheless, we showed that our theory is 
still applicable. Already the reachability analysis of weighted pushdown automata 
over the integer semiring, one particular instance of our general framework, was 
not known before, and we provided several examples of its potential use in 
verification. 

Regarding the two restrictions we introduced, we claim that the first condi- 
tion of total ordering can be relaxed to orderings of bounded width, where the 
maximum number of incomparable elements is bounded by some a priori given 
constant c. By running the main loop in Algorithm 1 cn + 1 times, we should 
be able to detect nontermination also in this case. The motivation for introduc- 
ing bounded width comes from the fact that this will allow us to combine (via 
the product construction) one unbounded domain, like e.g. the integer semiring, 
with a fixed number of finite domains in order to observe additional properties 
along the computations. The question whether the second restriction (extend 
preserves inequality) can be relaxed as well remains open and is part of our 
future work. 
Appendix 

A Proof of Theorem 1 

The statement about the runtime follows immediately from our definition of $K(f)$. 
If Algorithm 1 returns a fixed point, it is the greatest fixed point, as it is the 
result of Kleene's iteration. It remains to show that if the algorithm returns the 
statement of line 1 then this statement in fact holds. 

For that purpose we introduce the concept of derivation trees that was also 
used in [5,4]. It generalizes the well-known notion from language theory to semir- 
ings. In the following we identify a node x of a tree t with the subtree of t rooted 
at x. In particular, we identify a tree with its root. 

Definition 8 (Derivation Tree). Let $f$ be a vector of $n$ polynomials. A deriva- 
tion tree $t$ of $f$ is an ordered finite tree whose nodes are labelled with both a 
variable $X_i$ ($1 \le i \le n$) and a monomial $m$ of $f_i$. We write $\lambda_v$, resp. $\lambda_m$, for 
the corresponding labelling functions. If $\lambda_m(x) = a_1 X_{i_1} a_2 \cdots X_{i_s} a_{s+1}$ for some 
$s \ge 0$, then $x$ has exactly $s$ children $x_1, \ldots, x_s$, ordered from left to right, with 
$\lambda_v(x_j) = X_{i_j}$ for all $j = 1, \ldots, s$. 

Notice that a node $x$ in a derivation tree is a leaf if and only if $\lambda_m(x) = a$ 
for some constant $a \in D$. The height $h(t)$ of a derivation tree $t$ is the length 
of a longest path from the root to a leaf. For the length, we count the number 
of nodes on the path, including both the root and the leaf. The yield $Y(t)$ of 
a derivation tree $t$ with $\lambda_m(t) = a_1 X_{i_1} a_2 \cdots X_{i_s} a_{s+1}$ is inductively defined as 
$Y(t) = a_1 Y(t_1) a_2 \cdots Y(t_s) a_{s+1}$. Figure 1 shows a derivation tree for our running 
example. 



Fig. 1. A derivation tree of height 4 for $f = (\min\{-2, X_2 + X_3\},\ X_3 + 1,\ \min\{X_1, X_2\})$. 
The labels of a node $x$ are denoted by $(\lambda_v(x), \lambda_m(x))$. The yields are written on top 
of the labels. 
The following proposition is easy to prove by induction on the height (see 
also [4]). 



Proposition 2. Let $f$ be a vector of $n$ polynomials over a semiring. For all 
$k \in \{1, 2, \ldots\}$ and all $1 \le i \le n$ we have 

$$\kappa_i^{(k)} = \bigoplus\{\, Y(t) \mid t \text{ is a derivation tree of } f \text{ with } h(t) \le k \text{ and } \lambda_v(t) = X_i \,\}.$$

Notice that the set of yields in Proposition 2 is always finite and may be empty. 
If it is empty we set $\bigoplus \emptyset = \bar{0}$, the zero of the semiring. Now we prove the 
following lemma, from which the correctness of Algorithm 1 follows immediately. 

Lemma 4. Let $f$ be a vector of $n$ polynomials over a totally ordered idempotent 
semiring such that extend preserves inequality. Let $(\kappa^{(k)})_{k \in \mathbb{N}}$ denote its Kleene 
sequence. If $\kappa_i^{(n+1)} \neq \kappa_i^{(n)}$ for some $1 \le i \le n$, then $i$ is a witness component. 

Proof. In this proof we write $a \sqsubset b$ to denote that $a \sqsubseteq b$ and $a \neq b$. We first 
show the following: 

If $\kappa_i^{(k)} \sqsubset \kappa_i^{(k-1)}$ for some $k > n$, then $\kappa_i^{(k')} \sqsubset \kappa_i^{(k)}$ for some $k' > k$. (4) 

Let $\kappa_i^{(k)} \sqsubset \kappa_i^{(k-1)}$. By Proposition 2 and using the total order of the semiring, 
there is a tree $t$ with $\lambda_v(t) = X_i$ such that $\kappa_i^{(k)} = Y(t)$ and $h(t) = k > n$. So 
there is a path in $t$ from the root to a leaf and some variable $X_j$ with two nodes 
$x_1, x_2$ on the path such that $\lambda_v(x_1) = \lambda_v(x_2) = X_j$. Assume w.l.o.g. that $x_1$ is 
closer to the root than $x_2$. As $\sqsubseteq$ is a total order, one of the following holds. 

— If $Y(x_2) \sqsubseteq Y(x_1)$, then construct a tree $t'$ from $t$ by replacing the subtree 
rooted at $x_1$ by the subtree rooted at $x_2$. We have $\lambda_v(t') = X_i$ and $h(t') = k'$ 
for some $k' < k$. By monotonicity of $\otimes$ (Lemma 1 part (ii)) we have $Y(t') \sqsubseteq Y(t)$. So 

$$Y(t) = \kappa_i^{(k)} \sqsubseteq \kappa_i^{(k')} \sqsubseteq Y(t') \sqsubseteq Y(t),$$ 

where the first inequality is Prop. 1(a) and the second is Prop. 2. Hence $\kappa_i^{(k)} = \kappa_i^{(k')}$, 
which, by Prop. 1(a), implies $\kappa_i^{(k)} = \kappa_i^{(k-1)}$. This contradicts the assumption 
that $\kappa_i^{(k)} \neq \kappa_i^{(k-1)}$. So this case does not occur. 

— If $Y(x_1) \sqsubset Y(x_2)$, then construct a tree $t'$ from $t$ by replacing the subtree 
rooted at $x_2$ by the subtree rooted at $x_1$. We have $\lambda_v(t') = X_i$ and $h(t') = k'$ 
for some $k' > k$. By monotonicity of $\otimes$ (Lemma 1 part (ii)) and as extend 
preserves inequality we have $\kappa_i^{(k')} \sqsubseteq Y(t') \sqsubset Y(t) = \kappa_i^{(k)}$. So $\kappa_i^{(k')} \sqsubset \kappa_i^{(k)}$. 

This proves our claim (4). 

It follows from the claim and Proposition 1(a) that if $\kappa_i^{(k)} \sqsubset \kappa_i^{(k-1)}$ for 
some $k > n$, then $\kappa_i^{(l)} \sqsubset \kappa_i^{(l-1)}$ for some $l > k$. Hence, if $\kappa_i^{(n+1)} \neq \kappa_i^{(n)}$, then 
$\{\kappa_i^{(k)} \mid k \in \mathbb{N}\}$ is infinite. This completes the proof. □ 
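As an added illustration of Lemma 4 (Python written for this page; it is not the paper's Algorithm 1, whose details are not reproduced here), the following code runs Kleene's iteration for the running example of Figure 1 over the semiring (Z ∪ {∞}, min, +), which is totally ordered and in which extend (+) preserves strict inequality, and applies the n+1-step test: if κ^(n+1) = κ^(n) the iteration has reached the greatest fixed point, otherwise each component that still changed is a witness that the sequence never stabilizes. It also computes a few more iterates to show the descending chain. The second system g is constructed here as an example that does stabilize.

```python
from typing import Callable, List, Tuple

INF = float("inf")   # the neutral element of min, i.e. the zero of (Z ∪ {∞}, min, +)
Vector = Tuple[float, ...]

# The running example of Figure 1: f = (min{-2, X2+X3}, X3+1, min{X1, X2}).
def f(k: Vector) -> Vector:
    x1, x2, x3 = k
    return (min(-2, x2 + x3), x3 + 1, min(x1, x2))

# A constructed system that does reach a fixed point: g = (min{5, X2}, X1+1).
def g(k: Vector) -> Vector:
    x1, x2 = k
    return (min(5, x2), x1 + 1)

def kleene_sequence(poly: Callable[[Vector], Vector], n: int, steps: int) -> List[Vector]:
    """kappa^(1), ..., kappa^(steps) with kappa^(0) = (∞, ..., ∞) and
    kappa^(k+1) = poly(kappa^(k)). By Proposition 2, kappa_i^(k) is the minimum
    over the yields of derivation trees of height <= k rooted at X_i."""
    seq: List[Vector] = []
    kappa: Vector = (INF,) * n
    for _ in range(steps):
        kappa = poly(kappa)
        seq.append(kappa)
    return seq

def witness_components(poly: Callable[[Vector], Vector], n: int) -> List[int]:
    """Indices i (1-based, as in the paper) with kappa_i^(n+1) != kappa_i^(n).
    By Lemma 4 each such i is a witness component: {kappa_i^(k) | k} is infinite,
    so the iteration would never terminate on component i."""
    seq = kleene_sequence(poly, n, n + 1)
    k_n, k_n1 = seq[n - 1], seq[n]
    return [i + 1 for i in range(n) if k_n1[i] != k_n[i]]

def solve(poly: Callable[[Vector], Vector], n: int):
    """The n+1-step check: either the greatest fixed point (kappa^(n+1) = kappa^(n),
    so kappa^(n) = poly(kappa^(n))) or the list of witness components."""
    witnesses = witness_components(poly, n)
    if witnesses:
        return ("no fixed point", witnesses)
    return ("fixed point", kleene_sequence(poly, n, n)[-1])

if __name__ == "__main__":
    for k, kappa in enumerate(kleene_sequence(f, 3, 8), start=1):
        print(f"kappa^({k}) = {kappa}")      # component 1 descends without bound
    print(solve(f, 3))
    print(solve(g, 2))
```

For f the iterates are κ^(1) = (-2, ∞, ∞), κ^(2) = (-2, ∞, -2), κ^(3) = (-2, -1, -2), κ^(4) = (-3, -1, -2), and component 1 still changes at step n+1 = 4, which by Lemma 4 already certifies that the chain (-2, -3, -4, -5, ...) never stops; for g the sequence is constant from κ^(2) = (5, 6) on.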

B Proofs of Lemma 2 and Lemma 3 

Lemma 2 claims that in the equation system (1) the following holds for every 
$k \ge 1$ and any configuration $c$: 

$$\kappa_{[c]}^{(k)} = \bigoplus\{\, v(\sigma) \mid c \Rightarrow^{\sigma} c_f,\ |\sigma| < k \,\}$$ 

This follows directly from Proposition 2, and because every derivation tree of 
height $k$ for (1) corresponds to a sequence of $k - 1$ moves in the WPDS. □ 

Lemma 3 claims that in the equation system (2) the following holds for every 
$k \ge 1$, control states $p, q$, and stack symbol $A$, where $\kappa^{(k)}$ is the component of the 
Kleene sequence of (2) belonging to $p$, $A$ and $q$: 

$$\bigoplus\{\, v(\sigma) \mid c \Rightarrow^{\sigma} c_f,\ |\sigma| \le 2^{k-1} \,\} \;\sqsubseteq\; \kappa^{(k)} \;\sqsubseteq\; \bigoplus\{\, v(\sigma) \mid c \Rightarrow^{\sigma} c_f,\ |\sigma| \le k - 1 \,\}$$ 

A derivation tree of height $k$ for (2) corresponds to a path in $W$ whose length is 
at least $k - 1$ (if all internal nodes have just one child) and at most $2^{k-1}$ (if all 
internal nodes have two children). Because of this, and because of Proposition 2, 
the lemma holds. □ 



C Computing Successors in Weighted Pushdown Systems 

In Section 3, we considered the following problem: given a target configuration $c_f$, 
compute (if possible) the meet-over-all-paths from $c$ to $c_f$, for any configuration $c$. 
In other words, we considered the predecessors of $c_f$. 

Alternatively one could consider the successors of some source configura- 
tion $c_s := p_s X_s$ and attempt to compute the meet over all paths from $c_s$ to $c$. 
It is possible to adapt the methods from Section 3 to this problem (and in fact, 
this adaptation is used by our applications). 

It is well-known that most results about backward pushdown reachability 
carry over to forward pushdown reachability and vice versa. The easiest expla- 
nation for this is that given a WPDS $W$, one can construct another WPDS $W'$ 
which makes the movements of $W$ 'in reverse'. More precisely, if $W$ has con- 
trol states $P$, stack alphabet $\Gamma$, and rules $\Delta$, then $W'$ has control states 
$P' := P \cup \{ (q, Y) \mid \exists (pX \xrightarrow{d} qYZ) \in \Delta \}$, stack alphabet $\Gamma \cup \{\#\}$, and the following 
rules: 

— if $pX \xrightarrow{d} qY \in \Delta$, then $qY \xrightarrow{d} pX \in \Delta'$; 

— if $pX \xrightarrow{d} q\varepsilon \in \Delta$, then $qY \xrightarrow{d} pXY \in \Delta'$ for every $Y \in \Gamma \cup \{\#\}$; 

— if $pX \xrightarrow{d} qYZ \in \Delta$, then $qY \to (q, Y)\varepsilon$ and $(q, Y)Z \to pX$ are in $\Delta'$, the two 
rules together carrying the weight $d$. 

It is easy to see that whenever $p\alpha \Rightarrow^{\sigma} q\beta$ holds in $W$, then $q\beta\# \Rightarrow^{\tau} p\alpha\#$ holds 
for some rule sequence $\tau$ in $W'$ such that, if $\sigma = r_1 \ldots r_n$ and $\tau = s_1 \ldots s_m$, 
then $d_{r_1} \otimes \cdots \otimes d_{r_n} = d_{s_m} \otimes \cdots \otimes d_{s_1}$. Thus, it is possible to reduce forward 
reachability problems to backward reachability problems, and the reduction is 
polynomial. 
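The reversal construction, as an added example (Python written for this page, not code from the paper). Rules are tuples (p, X, q, rhs, d) with extend = + and unit 0 as in the integer semiring, and the stack symbol "#" is the bottom marker of the construction. The page fixes only the combined weight of the two W' rules produced by a push rule; this example places d on the second of them and the unit on the first, which is an assumption (with a commutative extend the product is the same either way). The rules of the sample system W and the paths replayed on it are constructed for illustration.

```python
from typing import Dict, Iterable, List, Optional, Tuple

UNIT = 0   # the unit of extend (+) in the integer semiring

Conf = Tuple[object, Tuple[str, ...]]                    # (control state, stack, top first)
Rule = Tuple[object, str, object, Tuple[str, ...], int]  # pX --d--> q rhs


def apply_rule(conf: Conf, rule: Rule) -> Optional[Conf]:
    """One move of a pushdown system; None if the rule does not fire at conf."""
    p, stack = conf
    rp, X, q, rhs, _ = rule
    if p != rp or not stack or stack[0] != X:
        return None
    return (q, rhs + stack[1:])


def run(rules: Dict[str, Rule], conf: Conf, names: List[str]) -> Tuple[Conf, int]:
    """Fire the named rules of W in order; return the final configuration and
    the accumulated weight d_r1 + ... + d_rn."""
    weight = UNIT
    for nm in names:
        nxt = apply_rule(conf, rules[nm])
        if nxt is None:
            raise ValueError(f"rule {nm} does not fire at {conf}")
        conf, weight = nxt, weight + rules[nm][4]
    return conf, weight


def reverse_wpds(rules: Iterable[Rule], gamma: Iterable[str]) -> Dict[Rule, List[Rule]]:
    """The construction of Appendix C: for each rule of W, the rules of W' derived
    from it (for a push rule, in the order in which they fire). Stacks of W' end
    in the marker '#'. Assumption of this example: in the push case the second
    W' rule carries d and the first the unit."""
    rev: Dict[Rule, List[Rule]] = {}
    for r in rules:
        p, X, q, rhs, d = r
        if len(rhs) == 1:                      # pX -> qY   gives  qY -> pX
            rev[r] = [(q, rhs[0], p, (X,), d)]
        elif len(rhs) == 0:                    # pX -> qε   gives  qY -> pXY, Y in Γ ∪ {#}
            rev[r] = [(q, Y, p, (X, Y), d) for Y in sorted(gamma) + ["#"]]
        else:                                  # pX -> qYZ  gives  qY -> (q,Y)ε, (q,Y)Z -> pX
            Y, Z = rhs
            rev[r] = [(q, Y, (q, Y), (), UNIT), ((q, Y), Z, p, (X,), d)]
    return rev


def reversed_run(rules: Dict[str, Rule], rev: Dict[Rule, List[Rule]],
                 start: Conf, names: List[str]) -> Tuple[Conf, int]:
    """Replay the W-path `names` from `start` backwards in W': begin at the
    reached configuration qβ# and fire, for each forward rule in reverse order,
    the W' rule(s) derived from it. Returns the configuration reached and the
    weight d_sm + ... + d_s1 of the W' path."""
    end, _ = run(rules, start, names)
    conf: Conf = (end[0], end[1] + ("#",))
    weight = UNIT
    for nm in reversed(names):
        fwd = rules[nm]
        for rr in rev[fwd]:
            nxt = apply_rule(conf, rr)
            if nxt is None:
                continue                       # pop case: only the rule matching the stack top fires
            conf, weight = nxt, weight + rr[4]
            if len(fwd[3]) != 2:
                break                          # swap/pop: exactly one W' rule; push: both fire
    return conf, weight


def reversal_holds(rules: Dict[str, Rule], rev: Dict[Rule, List[Rule]],
                   start: Conf, names: List[str]) -> bool:
    """The claim of Appendix C on one path: W' leads from qβ# back to pα#,
    and the accumulated weights of the two paths agree."""
    _, forward_weight = run(rules, start, names)
    conf, backward_weight = reversed_run(rules, rev, start, names)
    return conf == (start[0], start[1] + ("#",)) and forward_weight == backward_weight


# Constructed sample WPDS W over Γ = {X, Y, Z} with one rule of each kind.
GAMMA = {"X", "Y", "Z"}
RULES: Dict[str, Rule] = {
    "r1": ("p", "X", "p", ("Y", "X"), 1),     # push: pX --1--> pYX
    "r2": ("p", "Y", "q", ("Z",), 2),         # swap: pY --2--> qZ
    "r3": ("q", "Z", "p", (), -3),            # pop:  qZ --(-3)--> pε
}
REV = reverse_wpds(RULES.values(), GAMMA)

if __name__ == "__main__":
    path = ["r1", "r2", "r3"]
    print("forward :", run(RULES, ("p", ("X",)), path))
    print("reversed:", reversed_run(RULES, REV, ("p", ("X",)), path))
    print("rules of W' for r3:", REV[RULES["r3"]])
```

The pop case is where the marker "#" earns its keep: reversing qZ → pε must push Z back on top of whatever is there, and when the forward run had emptied the stack, the only symbol available to match is "#".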

It is also possible to tackle the forward reachability problem directly, in which 
case slightly better complexity bounds can be achieved, see, for instance, [3, 
19]. Following the ideas from [3,19], we present a finite equation system 
that serves as the 'forward analogue' of (2), without proof. Our system has the 
following sets of variables: 

— $[pX\bullet]$, for $p \in P$ and $X \in \Gamma$, representing the weights of the paths from 
$p_s X_s$ to $pX$; 

— $[pX(rZ)]$, for $p \in P$, $X \in \Gamma$, and $(r, Z) \in P'$, representing the weights of the 
paths from $rZ$ to $pX$; 

— $[p\varepsilon\bullet]$, for $p \in P$, representing the weights of the paths from $p_s X_s$ to $p\varepsilon$; 

— $[p\varepsilon(rZ)]$, for $p \in P$ and $(r, Z) \in P'$, representing the weights of the paths 
from $rZ$ to $p\varepsilon$; 

— $[(pX)Y\bullet]$, for $(p, X) \in P'$ and $Y \in \Gamma$, representing the weights of the paths 
from $p_s X_s$ to $pXY$, ending with a 'push' operation; 

— $[(pX)Y(rZ)]$, for $(p, X), (r, Z) \in P'$ and $Y \in \Gamma$, representing the weights of 
the paths from $rZ$ to $pXY$, ending with a 'push' operation. 

Moreover, we define $I(pX) = \bar{1}$ iff $pX = p_s X_s$ and $\bar{0}$ otherwise, and $E(pX, rZ) = 
\bar{1}$ iff $pX = rZ$ and $\bar{0}$ otherwise, for $(p, X) \in P'$. The equation system is as follows: 

$$[pX\bullet] = I(pX) \oplus \bigoplus_{qY \xrightarrow{d} pX} \big([qY\bullet] \otimes d\big) \oplus \bigoplus_{(q,Y) \in P'} \big([(qY)X\bullet] \otimes [p\varepsilon(qY)]\big)$$ 

$$[pX(rZ)] = E(pX, rZ) \oplus \bigoplus_{qY \xrightarrow{d} pX} \big([qY(rZ)] \otimes d\big) \oplus \bigoplus_{(q,Y) \in P'} \big([(qY)X(rZ)] \otimes [p\varepsilon(qY)]\big)$$ 

$$[p\varepsilon\bullet] = \bigoplus_{qY \xrightarrow{d} p\varepsilon} \big([qY\bullet] \otimes d\big)$$ 

$$[p\varepsilon(rZ)] = \bigoplus_{qY \xrightarrow{d} p\varepsilon} \big([qY(rZ)] \otimes d\big)$$ 

$$[(pX)Y\bullet] = \bigoplus_{qU \xrightarrow{d} pXY} \big([qU\bullet] \otimes d\big)$$ 

$$[(pX)Y(rZ)] = \bigoplus_{qU \xrightarrow{d} pXY} \big([qU(rZ)] \otimes d\big)$$ 

Intuitively, the right-hand sides of the equations list the possible ways in 
which the paths corresponding to the left-hand-side variables can be generated. 

In analogy with Section 3.1, any solution of this system can be converted into a 
post*$(\{p_s X_s\})$ W-automaton. Our automaton $A$ has $\varepsilon$-edges, and its states are 
$P'$ extended with a final state $\bullet$. Every variable $[sXs']$, where $s, s' \in P' \cup \{\bullet\}$ and 
$X \in \Gamma \cup \{\varepsilon\}$, and its value in the solution then correspond to a transition of $A$. 
The meet-over-all-paths for every configuration $c$ can be obtained by identifying 
the paths on which $c$ is accepted by $A$ and combining their weights with $\oplus$. 

Remark 4. According to [20,19], the size of the equation system and the number 
of variables is $O(|P| \cdot |\Delta|^2)$, therefore the time for Algorithm 1 is $O(|P|^2 |\Delta|^4)$. 
The resulting automaton has $O(|P| + |\Delta|)$ states. 



